Who am I?


I am an executive hacker.
Hacking Anything to Secure Everything


X-Force Red is an autonomous team of veteran hackers, within IBM Security, hired to break into organizations and uncover vulnerabilities that criminals may use for personal gain.

Penetration Testing: Test your applications, networks, hardware, personnel and more to uncover and fix vulnerabilities.

Adversary Simulation: Simulate real-world attacks and measure your security team's response.

Vulnerability Management: Rank and remediate vulnerabilities targeting your most important assets.
X-Force Red is different

— Hack anything criminals can hack

— Decades of hacking experience professionally and personally

— Manual penetration testing virtually and physically, no questionnaires

— Engineers and developers who also have security expertise

— Real-time view into testing programs with the X-Force Red Portal. Clients see and remediate vulnerabilities as they are uncovered.

— Automated vulnerability prioritization based on weaponization and asset value

— Fixed price with subscription testing program.

— Four secure, global "X-Force Red Labs" for IoT, IIoT, OT testing

— ATM Testing service

— Red teaming service separate from penetration testing

What is hacking?

Hacking is: Problem Solving


Trying to make something do 
something it can't 
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Why do 
vulnerabilities 


matter? 


Average number of vulnerabilities reported by scanners in enterprise client environments at any point in time

Percentage of vulnerabilities that have associated public exploits


Why does the world focus on use cases?


Humans focus on the activities 
that they can relate to carrying 
out themselves. 


When people look at a widget, they see it as they themselves would be likely to use it.


Developers often have issues envisioning the use cases 
of a product and have specific design thinking activities 
to flesh out use cases they may not immediately see. 


The value of function is often subjective. 


The hacker approach to problem 
solving is often unique. 


While most people are focused on using things in the 
intended manner, the hacker is focused on making 
something work in a way it was never intended. 


The guard rails of intended use of a widget often leave 
open a wide array of unintended uses. 


The value of unintended use is often extremely high. 


There is nothing wrong with using a butter knife as a 
screwdriver unless you have a Phillips head screw. 


How do use cases compare to abuse cases?


Example One: Frequent Fliers

Use cases for airlines:

— Frequent flier numbers establish unique identifiers for VIP customers

— Including frequent flier numbers on boarding passes allows for easier determination of status benefits

— Including record locators on boarding passes allows for them to easily be passed between airlines

— Basic passenger details are required to be on boarding passes by the TSA
Example One: Frequent Fliers

Use cases for fliers:

— Frequent flier numbers and programs allow fliers to earn rewards

— Status allows frequent fliers to board the plane early, check free bags, and earn upgrades.

— Frequent flier programs tie nicely to airline system accounts. This easily enables frequent fliers to track, maintain, and retrieve flight information across multiple systems.


Example One: Frequent Fliers

Abuse case for attackers:

— The information required to retrieve or alter a reservation is the same information on the boarding pass. This same information can often (depending on airline) be used to reset account passwords.

— These boarding passes are often left in seat back pouches or airport trashcans. Frequent fliers are often oblivious to the value of the information they leave behind.


Example Two: SMS Authentication

Use cases for developers:

— SMS authentication provides an easy method for two-factor authentication and password resets.

— The ubiquitous nature of mobile phones today provides an almost guaranteed availability of SMS for almost all users.

— SMS authentication often meets compliance requirements.
Example Two: SMS Authentication

Use cases for users:

— SMS authentication is fairly simple for even novice users.

— Users generally carry their phone with them at all times and, in many cases, use their phones more than computers or other devices which may require authentication.


Example Two: SMS Authentication

Use case for attackers:

— SIM Swapping

SIM Swapping: A Deeper Dive
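The two abuse cases above (boarding-pass data reused as reset credentials, and an SMS code that a SIM swap redirects to the attacker) come down to one design mistake: treating data that identifies an account as proof of who is asking. The following is an added example, not material from the X-Force Red deck; the reservation records, the account store, the stand-in carrier and the device names are all constructed, and the TOTP seed is the RFC 6238 test-vector key. It shows a reset flow gated only on boarding-pass fields, a flow that adds an SMS code yet still passes for whoever holds the phone number after a SIM swap, and a hardened flow that accepts only a code from an enrolled authenticator (RFC 4226/6238 HOTP/TOTP implemented with the standard library), a factor that is neither printed on the pass nor routed through the carrier.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current step and `window` steps either side, comparing in constant time."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-window, window + 1))


# Constructed data. Every RESERVATIONS field is printed on the boarding pass,
# so none of it is a secret. The TOTP seed is the RFC 6238 test-vector key.
RESERVATIONS = {"ABC123": {"last_name": "DOE", "ff_number": "FF0001"}}
ACCOUNTS = {"FF0001": {"phone": "+15555550100",
                       "totp_secret": b"12345678901234567890"}}
PENDING_SMS = {}  # ff_number -> code the server last sent


class SmsChannel:
    """Constructed stand-in for a carrier: a number routes to whichever device holds it now."""

    def __init__(self):
        self.holder = {}  # phone number -> device name
        self.inbox = {}   # device name -> last code received

    def deliver(self, phone, code):
        self.inbox[self.holder.get(phone, "unassigned")] = code


def locate_account(record_locator, last_name):
    """Boarding-pass fields identify an account; they prove nothing about who is asking."""
    r = RESERVATIONS.get(record_locator)
    if r and hmac.compare_digest(r["last_name"], last_name.upper()):
        return r["ff_number"]
    return None


def weak_reset_allowed(record_locator, last_name):
    """Abuse case one: reset gated only on data left behind in a seat-back pouch."""
    return locate_account(record_locator, last_name) is not None


def start_sms_reset(record_locator, last_name, channel):
    """Abuse case two, step 1: send a one-time code to the number on file."""
    ff = locate_account(record_locator, last_name)
    if ff is None:
        return False
    code = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING_SMS[ff] = code
    channel.deliver(ACCOUNTS[ff]["phone"], code)
    return True


def sms_reset_allowed(record_locator, last_name, code):
    """Abuse case two, step 2: the check passes for whoever holds the number after a SIM swap."""
    ff = locate_account(record_locator, last_name)
    expected = PENDING_SMS.get(ff)
    return expected is not None and hmac.compare_digest(expected, code)


def hardened_reset_allowed(record_locator, last_name, totp_code, at=None):
    """Proof of control comes from a factor neither printed on the pass nor routed
    through the phone number: a code from an enrolled authenticator app."""
    ff = locate_account(record_locator, last_name)
    if ff is None:
        return False
    return verify_totp(ACCOUNTS[ff]["totp_secret"], totp_code, at=at)


if __name__ == "__main__":
    carrier = SmsChannel()
    carrier.holder["+15555550100"] = "victim-phone"
    print("boarding-pass data alone:", weak_reset_allowed("ABC123", "Doe"))
    carrier.holder["+15555550100"] = "attacker-phone"  # the SIM swap: number now routes elsewhere
    start_sms_reset("ABC123", "Doe", carrier)
    print("SMS code after SIM swap:", sms_reset_allowed("ABC123", "Doe", carrier.inbox["attacker-phone"]))
    print("authenticator required, wrong code:", hardened_reset_allowed("ABC123", "Doe", "000000", at=59))
```

The hardened flow still uses the record locator and last name, but only to find the account; the decision rests on `verify_totp`, whose seed never leaves the user's device. Running the block shows both weak checks returning True for an attacker holding nothing but a discarded boarding pass and a swapped SIM, and the hardened check returning False.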


Cities are smart! 


— Smart technology allows city employees to manage infrastructure remotely at a much lower cost.

— What once required onsite maintenance can now be done quickly and cheaply.

— Infrastructure monitoring devices allow city staff to learn of issues before they become problems.
Technology, not so much...


X-Force Red found 17 zero-day vulnerabilities within four smart city 
products. Research unveiled at Black Hat USA 2018. Landed 100+ media 
stories worldwide. 
So, what should you do?


— Just as you brainstorm to flesh out use cases, critically discuss possible abuse cases with developers, executives, and outsiders.

— Plan for abuse and conduct threat modeling.

— Have a third-party test extensively and manually to ensure that your solution is vetted.

— Understand that the worst possible scenario is likely the scenario you do not consider.


Questions?



Thank you 


Follow us on: 


X-Force Red 